3553aa7e83e87919a72e05f8a53768dffec148e7111e28140a18bf12230a3b78

General

Target

fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
Size

1.5MB
MD5

fafa9346ee31a637ba8e51f98c501e95
SHA1

575989e05e18af476ef7ab26d3557118fcc35d84
SHA256

3553aa7e83e87919a72e05f8a53768dffec148e7111e28140a18bf12230a3b78
SHA512

30c71355e3acbf59880efe044254e7e527c964d0cc06d41d7348871e51702a13c386986b6745ec20e92b3017d93cf3e68d2ae15081e896f1d4c3d51d4000ef27
SSDEEP

49152:h/b9j1ab2fxibvDy79yE4T5W9SNvBlF4LP6:BfcLDyBf4T5VSLP6

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3536	GW.exe
1464	1.exe
940	asdew

Loads dropped DLL 10 IoCs

pid	Process
3536	GW.exe
3536	GW.exe
3536	GW.exe
1960	WerFault.exe
1984	WerFault.exe
1136	WerFault.exe
4604	WerFault.exe
1452	WerFault.exe
372	WerFault.exe
2632	WerFault.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	GW.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4892-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4892-19-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\asdew	1.exe
File opened for modification	C:\Windows\asdew	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3168	3536	WerFault.exe	82
2120	3536	WerFault.exe	82
1600	3536	WerFault.exe	82
2528	3536	WerFault.exe	82
4008	3536	WerFault.exe	82
1960	3536	WerFault.exe	82
1984	3536	WerFault.exe	82
1136	3536	WerFault.exe	82
4604	3536	WerFault.exe	82
1452	3536	WerFault.exe	82
372	3536	WerFault.exe	82
2632	3536	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asdew

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	GW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	GW.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync	GW.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	GW.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	1.exe
Token: SeDebugPrivilege	940	asdew

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
940	asdew
3536	GW.exe
3536	GW.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3536	GW.exe
3536	GW.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3536	GW.exe
3536	GW.exe
3536	GW.exe
3536	GW.exe
3536	GW.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3536	4892	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	82
PID 4892 wrote to memory of 3536	4892	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	82
PID 4892 wrote to memory of 3536	4892	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	82
PID 4892 wrote to memory of 1464	4892	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	83
PID 4892 wrote to memory of 1464	4892	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	83
PID 4892 wrote to memory of 1464	4892	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	83
PID 940 wrote to memory of 3500	940	asdew	85
PID 940 wrote to memory of 3500	940	asdew	85

C:\Users\Admin\AppData\Local\Temp\fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\Temp\GW.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\GW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1120
    3⤵
    - Program crash
    PID:3168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1152
    3⤵
    - Program crash
    PID:2120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1072
    3⤵
    - Program crash
    PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1100
    3⤵
    - Program crash
    PID:2528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1304
    3⤵
    - Program crash
    PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1628
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1676
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2092
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2108
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2272
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1064
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2632
- C:\Users\Admin\AppData\Local\Temp\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1464

C:\Windows\asdew
C:\Windows\asdew
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:940
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3536 -ip 3536
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3536 -ip 3536
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3536 -ip 3536
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3536 -ip 3536
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3536 -ip 3536
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3536 -ip 3536
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3536 -ip 3536
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3536 -ip 3536
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3536 -ip 3536
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3536 -ip 3536
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3536 -ip 3536
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3536 -ip 3536
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\1.exe

Filesize
743KB

MD5
7d153caf9c0130fa952cd36a62623909

SHA1
9f958c4c1d65678d299b161ba782fdfc300fd834

SHA256
04fbdfc6a47e91d5a8a3695754675a334c5ca75eea741559f8cf0db4c09292c6

SHA512
6d2b62252f2513a046ecaa8eb2163aca576998cc54f5d5627e34a534ab1f29b1ae7c911fa57a90d21ce4002146087a01a652421e0ea008c4c542450502609fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\GW.exe

Filesize
1.1MB

MD5
90e46775bc42a8f8bb80778e425c20d2

SHA1
d90b797f146a69f034d69cf059e864a13e0d1c94

SHA256
d03a65abea494e5bc1c909f3586cd9781b81f2f7d84bf934a578c751ff31d4d3

SHA512
a0847d3a9e35cbc8bf1d85d1efa114bc355709fa19b35dd1947a0cf977a7b8025946978a613eb85a4f8958836c570a3e46084aa7a64e15744d7de75aaedacf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\win333.nls

Filesize
287KB

MD5
a3344fbc6a9fc1814e2ccf8771180e7d

SHA1
1009f81ed3d9515b8174403094255046439d7fa0

SHA256
7799a4f5504816d45f798e4f7c66d5d3921221f405d85171ce39ec2506f099fe

SHA512
ad2fca26f0c79db461ed0f88f38227cf465737b03efc5140b9366ab8f3f9463c12f69c6f0595fa8fffb9693f810d87cca7114f142b0acb8caed858e2d17c86af

Download Submit
C:\Users\Admin\AppData\Local\Temp\win341.nls

Filesize
352KB

MD5
5462b53dcd24740d3515e4d2c8ecf918

SHA1
19af1b8a824be5d61f6cb56c4fdebb8b7867dfa5

SHA256
d033597b03bf2c87a7a4a014ac0f91539f69735533dc5b2edf754c1ad2b51472

SHA512
661d23756cb905689c46527db7613559ff2cfc0be3f132b3d92d377fc9f67b926e52899c6386bb5432be22802ee9e7825363e5f472ae918923a29be4d776589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\win342.nls

Filesize
94KB

MD5
c17a46e454298e1ac81114c017748a95

SHA1
1c470d16cf5df3c29132102b6148c756d0568c01

SHA256
e666ea0f1861e2bc367b82297b856b51ba03b7ac1376dc23a86d4115d041d162

SHA512
6ffbc56b640e43ecdf232b22f99c9024102cda261be04a107a8dfabc5326f462d5f0353e5212903837943247faeff7762158636f01ed85f7dbb403eba64593ac

Download Submit
memory/940-67-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1464-20-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1464-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3536-23-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3536-14-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/3536-64-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3536-75-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/4892-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4892-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads